Distinguish between browser close/refresh/back events for a secure site (asp.net 2.0)
This is a question I have also been trying to answer (and mainly finding only posts related to disabling back button navigation or doing a check if not the most recent page in browser history then tell the browser to go forward again, which is either ineffective or degrades user experience).
Basic premise of the issue is:
1. User logs into secure application.
2. User views sensitive data.
3. User (not knowing any better) leaves browser window open (even though they may have closed the Tab that was displaying the website, or navigated to a page outside of the site).
4. User or Second User opens new tab and either:
a. uses history to return to previous page containing sensitive data, or
b. types url of login page to web app, but due to persistence of asp.net (http-only) session cookie (not accessible to client side script), is automatically returned to the logged in page of the previous user displaying sensitive data.
If it is the same user who finds themselves still logged in, this may affect their perception of site security. If it is a separate user who views this data, then in this particular application, that would be a breach of confidentality and data protection).
I checked a few different 3rd party secure sites (e.g. online bank) and so far found 2 that have solved the issue (and one that had not) - for major browsers (assuming both javascipt and cookies are available, otherwise they probably dont allow access).
Any suggestions gratefully received..